MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
SHA3-384 hash: 4a0065f3fdb8a64f5869a95b87cb2a93feda07d387db026ccea5fe62015b27e93529223b409f54aa433886d1a7b33961
SHA1 hash: eee0889d8ae2c1de464e361b6d730ae76303a7a4
MD5 hash: 542db1b86fee91bd3230eeed10ff2962
humanhash: september-angel-nuts-magazine
File name:AWB # Ref907853880911.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'319'936 bytes
First seen:2023-03-02 19:30:52 UTC
Last seen:2023-03-02 21:36:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RUWUUe3MzSSV93QMOEAlBWBEW0EjPNrc/EXEZjHp8SYZVeiQIRRyrlIR4F38H04F:bjSSDYXWSUPy/TZjHWJ5RyxIeRKM
Threatray 60 similar samples on MalwareBazaar
TLSH T1BE55B82809FC0AF2C5B1F1FD9FE4E753BD8488E6A6049D9982834B8D555391720AFD3E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB # Ref907853880911.exe
Verdict:
Malicious activity
Analysis date:
2023-03-02 19:34:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4569c46-9667-43c9-8297-471b0048bf97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371275/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1864.25589.22789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6400f977bbedb8176ff242bb/reports/54cfc03c-c5c8-4700-a546-f6283b802736/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41253179-6a25-4c20-9051-83a7428bcd2e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186066
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818932 Sample: AWB # Ref907853880911.exe Startdate: 02/03/2023 Architecture: WINDOWS Score: 100 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 6 other signatures 2->61 7 zTDActSgBywS.exe 5 2->7         started        10 AWB # Ref907853880911.exe 7 2->10         started        process3 file4 63 Multi AV Scanner detection for dropped file 7->63 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->65 67 May check the online IP address of the machine 7->67 73 2 other signatures 7->73 13 zTDActSgBywS.exe 7->13         started        17 schtasks.exe 1 7->17         started        19 zTDActSgBywS.exe 7->19         started        27 2 other processes 7->27 35 C:\Users\user\AppData\...\zTDActSgBywS.exe, PE32 10->35 dropped 37 C:\Users\...\zTDActSgBywS.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp7110.tmp, XML 10->39 dropped 41 C:\Users\...\AWB # Ref907853880911.exe.log, ASCII 10->41 dropped 69 Adds a directory exclusion to Windows Defender 10->69 71 Injects a PE file into a foreign processes 10->71 21 AWB # Ref907853880911.exe 15 2 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 43 104.237.62.211, 443, 49702 WEBNXUS United States 13->43 45 192.168.2.1 unknown unknown 13->45 47 api.ipify.org 13->47 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->75 77 Tries to steal Mail credentials (via file / registry access) 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 29 conhost.exe 17->29         started        49 smtp.yandex.ru 77.88.21.158, 49701, 49703, 587 YANDEXRU Russian Federation 21->49 51 api4.ipify.org 173.231.16.76, 443, 49700 WEBNXUS United States 21->51 53 api.ipify.org 21->53 81 Installs a global keyboard hook 21->81 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-02 16:37:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gz3g2hk2qxebtev53aqq3mzr7xyeshepgc4cxcfiwggifp73sqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06cd81198082d8438712ab708be1ef02d57bfc3a5bc65553aa5be350f0cd6081
AgentTesla
19146932c4a283f9e7580b7c6c729f81e1e3c7ad6012556f0b7059d8c4af559e
AgentTesla
3047d199e9540948a25c577cc9181b77d26708c2539c660706a8fd12fec2db1b
AgentTesla
32369a358b4448ddac71ca827be83465a2afc4be4d64b8693fbc0bac455b08a1
AgentTesla
48fbd6968e8aa1914d0eb20fea7f0b3b6d84458379ca56eaa21a2d86c79191d9
AgentTesla
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
AgentTesla
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8
AgentTesla
b97359d81ff705942e503b8a9636d0260a6de0d6c7d00fe6a104e6413eebf5b6
AgentTesla
bc3278a0b906345cc7501a28fc5b4addbc862edf1ba611d033113d97cdc02af5
AgentTesla
ca4ae8153f345ff67fb3b4adbba7ed2714dcde706bdf9641d312da6b1aca426c
AgentTesla
+ 50 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230302-x8c56aea6y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8299a9baa29446baf77f6a9162d788d3d07a4a54478c65b79609375397bfabc5
MD5 hash:
2bb6f2d08773ce5a91cc0d333f5e81ef
SHA1 hash:
c46509ba2a51976c2ddabfad58f608f3a5ac4005
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
SH256 hash:
1bab001c090f2f208e39247f8eeaeb77a0740bc9be7fa755cd57a863b3d22dd3
MD5 hash:
90b3109cf9cc5342015fc1583a78b282
SHA1 hash:
bdddff1c96296a0dc9f8d808e3b2d5829a15d2d2
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
SH256 hash:
ae60259be2f648f5ed12107f854c6c304cae75890449db92838ead8fa3238908
MD5 hash:
c5d41107e032460c86038c8116fde671
SHA1 hash:
391a226ac4e7fdd42853650131f20ff802298b39
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
SH256 hash:
633bd7eb6f5884f6e7a5651cdfa72f7cdd2f64ac6a9290d71ae509f3eff52893
MD5 hash:
6833ac8f058cccfb4ff145368ac38eae
SHA1 hash:
196fd196101dce4e0125390d39ea92674a714163
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
SH256 hash:
f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
MD5 hash:
542db1b86fee91bd3230eeed10ff2962
SHA1 hash:
eee0889d8ae2c1de464e361b6d730ae76303a7a4
Link:
https://www.unpac.me/results/d98cf4b7-53df-4465-b6ba-1e1ccdc5d659/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/371275/

Comments